πŸ‡ Rabbithole ← All lessons Work with us β†’
Data privacy & AI 01 / 05
Day 27 of 30 Β· Learn by clicking Β· ~4 minutes

When you use AI, where does your data actually go?

Data privacy with AI comes down to one plain question: when you type something in or connect an account, where does that information travel, and who can see or keep it? Think of it like handing a document to a courier: the only thing that matters is who you hand it to, where they carry it, and whether they make a copy on the way.

Almost everything you do with AI lands in one of three places. Knowing which one is the whole game:

On your device
Runs locally. Nothing leaves your computer.
Most private
Sent to a vendor's API
An API is the pipe software uses to talk. Your text goes to their server, gets a reply, comes back.
Normal & common
Used to train the model
Your data is kept and learned from for future versions.
Read the terms
πŸ“„ PII = personally identifiable info (names, emails, addresses) πŸ’³ Sensitive = payment, health, anything you would not post publicly πŸ” Training is often off by default on business tiers

Most people lump all three together and assume the worst. They are very different. The next panel clears up the single biggest misunderstanding.

02 / 05 Β· The myth

"Anything I type into AI gets used to train it and becomes public."

This is the fear that keeps small businesses from touching AI at all. It is mostly wrong, and the truth is more useful than the myth.

🧨 The myth

Every word you type is swallowed up, learned from, and could surface in someone else's answer. So AI is unsafe for any real business data.

βœ“ What is actually true

"Sent to a vendor" and "used for training" are two separate things. Your text is usually sent to the vendor to get an answer (that is just how the pipe works), but whether it is kept and trained on is a setting, and on most paid and business tiers, training is off by default. As of writing, major providers state that business and API usage is not used to train their models unless you opt in. The catch: defaults differ by plan and they change, so the rule is simple. Read the terms for the exact plan you are on.

πŸ—£οΈ The scary version

What people assume.

  • – Every prompt trains the model
  • – Your data could appear in a stranger's chat
  • – Nothing is ever private
  • – So never use it for business

πŸ”Ž The real version

How it actually works.

  • βœ“ Sent-to-vendor and used-for-training are separate
  • βœ“ Training is often off by default on paid or business tiers
  • βœ“ You can usually turn it off and choose what to share
  • βœ“ The terms tell you exactly, for your plan
The key: the question is never "is AI private?" It is "where does this specific data go, on this specific plan?" That you can actually answer, and it is what the live tool on the next panel walks you through.
03 / 05 Β· Watch it work

"Where does it go?" Pick a move and trace it.

Choose something you might really do with AI. The tool maps where that data travels, flags what is sensitive, and gives you the one question to ask before you do it.

πŸ“¦ The data in play
🧭 Where it travels (the highlighted hops appear in order)
Ask this first Press the button to trace this move.
Private This runs entirely in your browser. Nothing is typed, sent, fetched, or uploaded anywhere.

πŸ’‘ The travel maps here are illustrative and simplified. Your real path depends on the exact tool and plan, so always check its terms.

04 / 05 Β· Use it safely

How to vet an AI tool with your data on the line.

This deepens the "5 questions" from Day 1. Run any AI vendor through these before you connect a single real account. If they cannot answer, that is your answer.

  • 1. Where does my data go? On-device, sent to their server for an answer, or kept? Get it in plain words, not a link to a 40-page policy.
  • 2. Is it used for training? What is the default on my plan, and can I turn it off? (Often off by default on paid and business tiers, but confirm.)
  • 3. What counts as sensitive here? Customer PII, payment details, health info. Decide what should never go in, and do not paste it.
  • 4. Least privilege: how much access does it really need? Connect read-only when you can, scope it to one inbox or folder, not your whole account.
  • 5. Can I revoke it in one click? You should be able to disconnect access and delete stored data easily, on your own, without emailing support.

πŸ›‘οΈ Least privilege means giving a tool the smallest access that still does the job. Read-only and tightly scoped beats full access every time, because the worst case is so much smaller.

05 / 05 Β· Done

You now understand AI data privacy better than most people who use it daily.

You can tell on-device from sent-to-a-vendor from used-for-training, you know the myth is mostly wrong, and you have a real checklist: name what is sensitive, connect read-only, scope tight, and keep the off switch in reach.

The point was never to fear AI. It was to use it on your terms. Read-only by default, sensitive data kept out, training off, access you can revoke in a click. That is exactly how we build it.

We build AI that keeps your data yours, read-only by default, on your terms. Work with us β†’
See this idea doing real work
What is an MCP?The read-only, tightly scoped connection, in pictures. Build your first MCPA real, read-only kit you run on your own machine. Lead catcherCapture leads with your data staying yours. All 30 lessons β†’The full track, free and plain-English.
Built by rabbithole.consulting: custom-built infrastructure that runs your business. This lesson runs entirely in your browser, nothing is sent anywhere.